Mystery Over PC-To-Mobile Trojan Ticks Off Researchers

Anti-virus researchers complained Wednesday that a group claiming to have proof of the first PC-to-mobile Trojan hasn't shared the sample, a normal practice among security investigators.

Monday, the Mobile Antivirus Researchers Association (MARA), which bills itself as a non-commercial collection of mobile malware researchers, said it had anonymously received malicious code it dubbed "Crossover." The sample, said MARA, could cross-infect a Windows Mobile Pocket PC from a desktop PC running Windows.

According to MARA, the first-of-its-kind Trojan spreads to the mobile device via Microsoft's ActiveSync, then erases all files in the My Documents directory of the Windows CE- or Windows Mobile-based gizmo.

But unlike the usual practice where virus researchers share samples, MARA's not willing to let others see the code, no-strings-attached, say some commercial researchers. They're left without a way to confirm Crossover's existence or MARA's claims, or update their own signatures to defend against the attacker.

"You have to join MARA to get a sample," said Graham Cluley, senior technology consultant with U.K.-based security company Sophos. "They'll share only with members of their club."Cluley has a problem with that on several levels.

"Their terms and conditions are unacceptable. For example, if we're a member, any other member can request any sample from us, and we have 24 hours to provide the source code."

That step toward legalizing a gentleman's agreement irked Cluley. "The other day, Kaspersky Labs found a new Trojan. We called them up and asked for a copy, and they sent us a sample so we could add detection to our products. But as researchers, we don't have any contracts between us. We share because it's the right thing to do."

Cluley also said Sophos was "nervous" about MARA because 2 of its 12 members have co-authored papers with "Ratter," a member of the infamous 29A hacker gang. In those papers, Cluley said, MARA members Seth Fogie and Cyrus Peikari "published source code of mobile and PDA viruses."

Some of Fogie's and Peikari's articles have also been posted on an underground virus exchange site, Vx Heavens, said Cluley."No member of the mainstream anti-virus community would associate themselves with virus writers, or publish virus source code," he added.

In the past, MARA's Fogie and Peikari have accused that mainstream of being a "closed priesthood" which tried to keep proof-of-concept code and defensive technologies secret. Wednesday, MARA repeated those charges in an e-mail to TechWeb after declining a telephone interview. "I understand that antivirus companies may want to protect their bottom lines by limiting collaboration," MARA member Jonathan Reed wrote in his e-mailed response. "But in the end, this form of 'closed priesthood'" might not be beneficial."

Nor does Reed have any sympathy for security researchers who refuse to abide by the group's terms, then complain that they can't get a sample of the Trojan.

"A small number have arrogantly said, 'we're the experts, not you, so hand it over right now.'" Reed said. "Some of them have even tried to bully individual members into bypassing the proper protocol. That is unfortunate, since it would be illegal to distribute malware without a signed agreement in place. There has to be a chain of custody in place."

MARA's refusal to share left Cluley wondering just what was up."What seems really strange is that if you had proof-of-concept code for a Trojan like this, why would you send it to just MARA? If I was a virus writer, I would send it to, say, F-Secure, which has done all kinds of work on mobile viruses. I'd send it to all the known names in the business."

Cluley said that the Trojan "probably" is real -- though without a sample he can't be sure -- but said the whole incident "leaves a bad taste in the mouth."

"There have been lots of stories in the media about this [Trojan]," he said. "And that's driving people to MARA's Web site. But it doesn't look like the news is really helping anybody else."

MARA's Reed countered that the Trojan wasn't "in the wild," and because there's no danger, anti-virus companies don't need a sample.

But he held out a small olive branch. "Hopefully, we can work together to make a safer environment for all users."0